Serving a Nix store via AWS S3 or S3-compatible Service

Nix has built-in support for storing and fetching store paths from Amazon S3 and S3-compatible services. This uses the same binary cache mechanism that Nix usually uses to fetch prebuilt binaries from cache.nixos.org. In this example we will use the bucket named example-bucket.
Anonymous Reads to your S3-compatible binary cache

If your binary cache is publicly accessible and does not require authentication, the simplest way to use Nix with your S3-compatible binary cache is to use the HTTP URL for that cache. For AWS S3 the binary cache URL for our example bucket will be exactly https://example-bucket.s3.amazonaws.com. For S3-compatible binary caches you have to consult your software's documentation. Your bucket will need the following bucket policy:
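The policy text itself did not survive in this copy of the page. The following bucket policy is an added example, not the Nix manual's own text; it grants anonymous read access (s3:GetObject) to every object under example-bucket and nothing else. The "Principal": "*" is what makes the cache world-readable, which is the point of this section, so only store paths you are happy to publish belong in this bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NixCacheAnonymousRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

The resource is restricted to objects (the `/*` suffix); no bucket-level action such as listing is granted, so anonymous clients can fetch a path whose hash they already know but cannot enumerate the cache. AWS Block Public Access settings on the account or bucket take precedence over this policy and will reject or neutralise it if they are enabled. Once applied, a quick check that the cache answers anonymously is `curl -fsS https://example-bucket.s3.amazonaws.com/nix-cache-info`, since Nix writes that file to every binary cache it populates.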
Authenticated Reads to your S3 binary cache

For AWS S3 the binary cache URL for our example bucket will be exactly s3://example-bucket. Nix will use the default credential provider chain for authenticating requests to Amazon S3.

Nix supports authenticated writes to S3-compatible binary caches but only supports authenticated reads from Amazon S3. Additionally, the following limitations are in place for authenticated reads:

- The bucket must actually be hosted by Amazon S3 and not an S3-compatible service.
- The bucket must be within the us-east-1 region.
- The Amazon credentials, if stored in a credential profile, must be stored in the default profile.

Your bucket will need a bucket policy allowing the desired users to perform the s3:GetObject action on all objects in the bucket.
Authenticated Writes to your S3-compatible binary cache

Nix fully supports writing to Amazon S3 and S3-compatible buckets. The binary cache URL for our example bucket will be s3://example-bucket. Nix will use the default credential provider chain for authenticating requests to Amazon S3.

The following options can be specified as URL parameters to the S3 URL:

- profile: The name of the AWS configuration profile to use. By default Nix will use the default profile.
- region: The region of the S3 bucket. us-east-1 by default.
- endpoint: The URL to your S3-compatible service, for when not using Amazon S3. Do not specify this value if you're using Amazon S3. This endpoint must support HTTPS and will use path-based addressing instead of virtual-host-based addressing.

Uploading with a non-default credential profile for Amazon S3 (the URL is quoted so the shell does not interpret the query string):

    nix copy --to 's3://example-bucket?profile=cache-upload' nixpkgs.hello

Uploading to an S3-compatible binary cache:

    nix copy --to 's3://example-bucket?profile=cache-upload&endpoint=minio.example.com' nixpkgs.hello

The user writing to the bucket will need to perform the following actions against the bucket:

- s3:ListBucket
- s3:GetBucketLocation
- s3:ListObjects
- s3:GetObject
- s3:PutObject
- s3:ListBucketMultipartUploads
- s3:CreateMultipartUpload
- s3:ListMultipartUploadParts
- s3:AbortMultipartUpload
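A bucket policy that covers both the authenticated-read case from the previous section and the uploader permissions listed above, as an added example rather than anything from the Nix manual. The principals (account id 123456789012, role nix-cache-reader, user nix-cache-upload) are placeholders to replace with your own; readers get only s3:GetObject on objects, while the uploader gets the bucket-level and object-level actions split onto the ARNs they actually apply to.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NixCacheAuthenticatedRead",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/nix-cache-reader" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "NixCacheUploaderBucketActions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:user/nix-cache-upload" },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::example-bucket"
    },
    {
      "Sid": "NixCacheUploaderObjectActions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:user/nix-cache-upload" },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

Two entries from the list above do not appear as separate action names because AWS authorises the ListObjects API call through s3:ListBucket and the CreateMultipartUpload call through s3:PutObject. Apply the policy with `aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json`. Keeping the uploader as a dedicated principal used only by the machine that runs `nix copy` means a leaked reader credential cannot poison the cache, and the reader statement gives no listing rights, so consumers can fetch known store paths without enumerating the bucket.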